Hello!

Suppose I have a machine with 256Mb of RAM and a 256Mb flash ATA disk-on-module. What configuration (using RELENG_4) should I select:

1. No swap at all.
2. /dev/md0 (default 10Mb) added as a swap device.

In other words, does the RELENG_4 kernel work stably and robustly w/o swap, or should I provide a minimum-size swap device? Which configuration (1 or 2) will give more robustness in case of physical memory shortage?

Sincerely, Dmitry
--
Atlantis ISP, System Administrator
e-mail: dmitry@atlantis.dp.ua
nic-hdl: LYNX-RIPE
Hi list,

How can I remove one specific active ipnat session? "ipnat -rf [file]" removes only the rules from the list, but all sessions stay active.
Hello!

On Fri, 3 Mar 2006, Jeremy Bogan wrote:
>> In other words, does RELENG_4 kernel work stable and robust w/o swap or
>> should I provide a minimum-size swap device? Which configuration (1 or 2)
>> will give more robustness in case of physical memory shortage?
>
> I've got 4.11 running on a Geode based setup with 128MB RAM and a 64MB flash
> on chip, works a treat with no swap.

I'm running some heavy tests on my machine (256Mb RAM, HDD, no swap, 4.11-RELEASE) such as "make buildworld". After successful completion of this procedure I issued "rm -rf /usr/obj/usr" and got the following (single) message from the kernel:

Mar 3 11:05:32 test3 /kernel: swap_pager_getswapspace: failed

Does anybody know whether it's harmless?

Sincerely, Dmitry
--
Atlantis ISP, System Administrator
e-mail: dmitry@atlantis.dp.ua
nic-hdl: LYNX-RIPE
In this case I'd just ignore swap. Since /dev/md0 is only a memory disk anyway, you don't really buy anything by having it as swap as opposed to unallocated RAM. Just make sure that all your running programs are able to fit in the 256Mb of RAM you have; otherwise processes will fail to start or others will die when they need to allocate additional RAM.

I'm running FreeBSD in 64Mb with no swap and it works fine. A few sysctls that I've found helpful for running without swap:

vm.swap_enabled=0
vm.disable_swapspace_pageouts=1
kern.ipc.shm_use_phys=1

-Proto

Dmitry Pryanishnikov wrote:
> Hello!
>
> Suppose I have machine with 256Mb of RAM and 256Mb flash ATA disk-on-module.
> What configuration (using RELENG_4) should I select:
>
> 1. No swap at all.
> 2. /dev/md0 (default 10Mb) added as a swap device.
>
> In other words, does RELENG_4 kernel work stable and robust w/o swap or
> should I provide a minimum-size swap device? Which configuration (1 or 2)
> will give more robustness in case of physical memory shortage?
>
> Sincerely, Dmitry
Hello!

On Fri, 10 Mar 2006, Michael Proto wrote:
>> dmitry@test$ ps axu |grep ssh
>> root 20213 0.0 1.3 54724 3356 ?? Is 4:00PM 0:00.10 sshd: dmitry [priv]
>> dmitry 20216 0.0 1.3 54724 3356 ?? I 4:00PM 0:00.03 sshd: dmitry@tty
>> root 20229 0.0 1.3 54724 3356 ?? Ss 4:00PM 0:00.10 sshd: dmitry [priv]
>> dmitry 20232 0.0 1.3 54724 3356 ?? S 4:00PM 0:00.03 sshd: dmitry@tty
>>
>> It's the result of 2 incoming OpenSSH sessions: 2 processes per session,
>
> You're correct, I could have sworn that sshd ran as the sshd user with the
> (somewhat) new privsep settings but it appears that I'm mistaken. My only

One of OpenSSH's sshd processes actually runs under the 'sshd' user, but only during the authentication phase. That's how it looks at this point in up-to-date 6.1-PRERELEASE:

root 953 1.5 0.5 4420 2616 ?? Ss 2:11AM 0:00.04 sshd: dmitry [priv] (sshd)
root 637 0.0 0.5 2880 2332 ?? Ss 2:05AM 0:00.00 /usr/sbin/sshd
sshd 954 0.0 0.5 4284 2464 ?? S 2:11AM 0:00.02 sshd: dmitry [net] (sshd)
root 959 0.0 0.5 4424 2620 ?? S 2:11AM 0:00.00 sshd: dmitry [pam] (sshd)

(pid=637 is the main dispatcher process). 3 processes per connection, 2 of them running as root! Looks like an ideal model for DoSers ;) I still prefer good old SSH.COM's sshd: a single (although root's) and slimmer (VSZ-wise) process per connection:

root 574 0.0 0.4 2556 1948 ?? Ss 2:16AM 0:00.02 /usr/local/sbin/sshd2 -p 22
root 2033 0.0 0.4 2704 2156 ?? S 2:29AM 0:00.08 /usr/local/sbin/sshd2 -p 22

(again, pid=574 is the dispatcher).

Sincerely, Dmitry
--
Atlantis ISP, System Administrator
e-mail: dmitry@atlantis.dp.ua
nic-hdl: LYNX-RIPE
Dmitry Pryanishnikov wrote:
> On Sat, 4 Mar 2006, Peter Jeremy wrote:
>> Once you've received this message, the OS is free to kill your
>> processes until it frees up some swap (which it can't do if you don't
>> have any). I suggest you have a quick look through vm/swap_pager.c
>> and vm/vm_pageout.c, looking at swap_pager_full and swap_pager_almost_full.
>
> This is still a concern for me. IMHO it would be useful to have the ability
> to disable process killing due to the lack of swap, because having this
> enabled on e.g. a transit router can lead to a very unpleasant scenario. Imagine
> someone DoS-attacks its sshd, and the kernel kills the process with the largest
> RSS - it could e.g. be a vital part of the routing software (zebra/ripd/bgpd),
> and killing this process will render our router unreachable and unusable!
>
> Sincerely, Dmitry

My suggestion would then be to utilize resource limits in /etc/login.conf for the sshd user (in your example) or other user accounts for applications that you don't want running out of control. See login.conf(5) and login_cap(3) for more details on this. In particular, the datasize, stacksize, memoryuse, and vmemoryuse options may be of benefit.

-Proto
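A login.conf class along the lines Proto suggests, added here as an illustration rather than anything posted in the thread; the class name "svclimited", the user name "svcuser" and all limit values are constructed.

```conf
# /etc/login.conf fragment (added example, not from the thread).
# Limits bind to the login class of the user a process runs as, so they
# only cover processes owned by an account placed in this class; daemons
# that run as root (the case raised later in the thread) are not affected.
svclimited:\
	:datasize=64M:\
	:stacksize=8M:\
	:memoryuse=96M:\
	:vmemoryuse=128M:\
	:maxproc=32:\
	:openfiles=256:\
	:tc=default:
# memoryuse (RSS) is enforced by paging a process's pages out, which is
# exactly what a swapless box cannot do for anonymous memory, so on such
# a box vmemoryuse (total address space, allocations fail outright) is the
# limit that actually bounds a runaway process.
```

After editing, rebuild the capability database with "cap_mkdb /etc/login.conf" and attach the class to the account with "pw usermod svcuser -L svclimited"; the limits apply to sessions started after that, which you can confirm with "limits -U svcuser".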
> On Fri, 10 Mar 2006, Michael Proto wrote:
>> My suggestion would then be to utilize resource limits in
>> /etc/login.conf for the sshd user (in your example) or other user
>> accounts for applications that you don't want running out of control.
>> See login.conf(5) and login_cap(3) for more details on this. In
>> particular, the datasize, stacksize, memoryuse, and vmemoryuse options
>> may be of benefit.
>
> OK, I'm aware of this measure. But have you tried it yourself against,
> e.g., OpenSSH? I doubt it. Look at the following:
>
> dmitry@test$ ps axu |grep ssh
> root 20213 0.0 1.3 54724 3356 ?? Is 4:00PM 0:00.10 sshd: dmitry [priv]
> dmitry 20216 0.0 1.3 54724 3356 ?? I 4:00PM 0:00.03 sshd: dmitry@tty
> root 20229 0.0 1.3 54724 3356 ?? Ss 4:00PM 0:00.10 sshd: dmitry [priv]
> dmitry 20232 0.0 1.3 54724 3356 ?? S 4:00PM 0:00.03 sshd: dmitry@tty
>
> It's the result of 2 incoming OpenSSH sessions: 2 processes per session,
> one of them root's and another user's. SSH.COM's sshd always works as root.
> Also, during a DoS attack (simultaneous setup of many incoming TCP
> connections to port 22) there will be many root processes like this:
>
> root 20278 0.0 1.1 52016 2884 ?? Is 4:07PM 0:00.04 sshd: [accepted]
>
> Do you really advise lowering root's limits? I'm sure you don't ;)
>
> Sincerely, Dmitry
> --
> Atlantis ISP, System Administrator
> e-mail: dmitry@atlantis.dp.ua
> nic-hdl: LYNX-RIPE

You're correct, I could have sworn that sshd ran as the sshd user with the (somewhat) new privsep settings but it appears that I'm mistaken. My only other (albeit limited) suggestion would be to do something like inbound connection limiting that is available in pf to prevent the DoS-like scenarios you are mentioning.

-Proto
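The pf inbound connection limiting Proto refers to, written out as an added example that is not from the thread; it assumes a FreeBSD release with pf in base (the 6.x box mentioned above, not the 4.11 one), and the interface name, table name and thresholds are constructed.

```conf
# /etc/pf.conf fragment (added example, not from the thread).
ext_if = "fxp0"              # constructed; use the real outside interface
table <ssh_abusers> persist  # sources that tripped the limits below

# Drop traffic from already-flagged sources before any state lookup,
# so they never reach sshd again and never create a root-owned process.
block in quick on $ext_if from <ssh_abusers>

# Let SSH in, but bound what any single source can do to the daemon:
#   max-src-conn 10       at most 10 concurrent states per source
#   max-src-conn-rate 5/30  at most 5 new connections per 30 seconds
# A source exceeding either is added to <ssh_abusers>; "flush global"
# tears down every state that source holds, which also lets the
# half-set-up "sshd: [accepted]" processes exit.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, \
     overload <ssh_abusers> flush global)
```

Load with "pfctl -f /etc/pf.conf" and inspect who has been flagged with "pfctl -t ssh_abusers -T show"; because the table is only the overload target, legitimate sources that stay under the thresholds are never listed.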